In March 2022, the PCI DSS (Payment Card Industry Data Security Standard) underwent a major update (v4.0) to align the standard with emerging technologies and threats; to add flexibility to how covered entities can achieve compliance; and to drive security as a continuous process.
Merchants, service providers, and assessors need to implement new procedures when the latest update takes effect on March 31, 2024. In the meantime, all stakeholders can familiarize themselves with the updated requirements, forms, and reporting templates well before the current version (v3.2.1) is retired on the same date.
Qualified Security Assessors (QSAs) can conduct formal PCI DSS v4.0 audits only after completing the necessary training. Covered entities, on the other hand, can use the interim period to review the changes and have their internal team or managed compliance provider build a strategy for how their organization can best adjust to the changes and adhere to the new standard.
One of the major procedural changes all stakeholders need to implement is the new v4.x Worksheet the PCI Security Standards Council (PCI SSC) announced in June 2023.
New PCI DSS v4.0 Worksheet and Guidelines
To support security as a continuous process, the PCI SSC published the Items Noted for Improvement (INFI) Instructions and Worksheet. Incorporating feedback from the global payments community, the worksheet aims to document areas in an organization’s security layer that need improvement, and to support the organization in effectively addressing those areas over time.
The INFI worksheet serves as an internal document between the assessor and the assessed entity. QSAs need to complete the worksheet for all PCI DSS v4.0 assessments included in a Report on Compliance (ROC). While it is not required for self-assessments conducted by Internal Security Assessors (ISA), it is still recommended as a valuable tool for organizations to enhance their security posture by identifying and addressing areas that need improvement.
Assessors need to complete the worksheet for all initially lacking requirements that were eventually addressed by the organization and later verified to be in place. QSAs must also sign the INFI Worksheet Acknowledgement and Attestation, providing a copy to the assessed organization before signing off on ROC/AOC (Attestation of Compliance). While not required, ISAs are encouraged to follow these updated practices as well.
Self-Assessment Questionnaires (SAQs) Also Available
Merchants and service providers that qualify for SAQs also have an updated documentation process under PCI DSS v4.0. They can use the updated questionnaires to report the results of their self-assessment and validate their compliance.
The updated SAQs incorporate payment community feedback and include:
- Formatting and content improvements
- New requirements for addressing emerging threats
- New appendices
- Improvements in AOCs and ROCs
New Requirements for QSAs
PCI DSS v4.0 also impacts the role of Qualified Security Assessors. Among several updates, there’s a new requirement for QSA companies to have a documented sampling methodology. QSAs are also expected to incorporate the INFI processes discussed earlier in their standard workflow. Finally, the QSA Program Guide provides guidance on how to conduct assessments remotely. The updated program documents take effect immediately, with QSAs having until October 2023 to implement the changes.
Two Approaches to PCI DSS 4.0 Compliance
One of the key changes introduced by the latest version of PCI DSS is the enhanced flexibility in how organizations can meet requirement objectives. There are now two fundamental methods for meeting the requirements:
- The Defined Approach. This is essentially how adherence to PCI standards has always been assessed, with unmet requirements or compliance gaps being addressed by verified compensating controls.
- The Customized Approach. This is the new approach introduced by Version 4 that expands the range of methods an organization can use to achieve compliance. Instead of just meeting requirements as stated, covered entities can implement custom or innovative controls that fit their unique environments and meet the intended objectives of each requirement. This approach suits organizations with mature security infrastructure and requires a targeted risk analysis for each relevant requirement. Because there’s no one-size-fits-all template, assessors are accountable for deriving the specific testing procedures for this approach.
PCI DSS 4.0 is rapidly closing in. There are 64 new requirements in the updated standard, effectively overhauling many of the procedures your company needs to perform to demonstrate compliance. Now is the time to reassess your security practices against the new requirements, identify gaps, and update how your organization protects payment card data.
One way to streamline and accelerate your adherence to the new standard is to engage trusted PCI experts, specifically QSAs that have been certified to perform version 4 assessments. The sooner you get your business aligned with the latest PCI standard, the greater the head start you gain in assuring stakeholders and attracting customers.